Tuesday, March 04, 2008

HIPAA's Worthless and Here's Why

Do you have disability insurance? Do you want to utilize it? Well, my friend, if you want to tap into the disability coffers, plan on surrendering your privacy and sign this "Medical Disclosure Authorization." It gives our special "Medical Disability Advisor" the right to transmit to the world your persoanl and medical history (including HIV status), HIPAA free!

I understand that any health information disclosed pursuant to this authorization will no longer be protected by the HIPAA Privacy Rule when received by Reed Group.

When relevant to my claim, Reed Group may re-disclose(without further authorization) this information to any of the following, (a)Any person or facility that attends, treats or examines me; (b) Any person or facility that impacts the determination of my claim or that coordinates my benefits, including without limitation the employer to the extent permitted by state or federal law; or (c) The Social Security Administration or a social security or vocational rehabilitation vendor. Reed Group and DePaul University may use information obtained pursuant to this authorization in any other claim matter they handle related to me. I understand that this authorization is necessary for the processing of my claim or reguest for medical restrictions and that failure to sign this authorization may impair or impede the processing of my claim or request for medical restrictions.

I understand my treatment provider will not base treatment, payment enrollment or eligibitity on the refusal to sign this authorization. However, I understand that such refusal may affect my eligibility for benefits under my employers disability policy.

I received this request to complete an "Attending Physician's Statement" for a patient to receive their disability insurance. It had this form attached (not yet signed by the patient). As we can clearly see, this patient's healthcare record will be "free and clear" from a HIPAA perspective if this patient signs this "Medical Disclosure Authorization." Everything and anything about their health is fair game... forever. Both this patient's employer and future insurers can use this information against this patient for any future claims (even if their health problem is resolved). Yet if this patient does not sign this form, then this patient will not likely receive the benefits for which this patient has paid for through deductions from their salary.

Welcome to the world of "Insurance Catch-22."

So why the heck do we even have HIPAA when insurers can play this game with our most private healthcare information?

Thank you for this excellent post. It raises the whole question of patient confidentiality, which frankly HIPAA doesn't do a whole lot to protect anyway.

Anyway it is interesting that the management of the Reed Group thinks that a patient can voluntarily relinquish their federal privacy rights under HIPAA. Once a federal law is enacted I don't think we get to choose whether to follow it or not.

I think that patients should routinely refuse to sign b.s. like this and then let the healthcare provider just try and refuse treatment or a claim.

The state Attorney General should be advised of this sleezy corporate behavior.

It's very helpful that you read the fine print for this form. What an unfair situation for the patient?

As the idea of HIPAA -- to protect patient confidentiality -- is a good one, a ridiculous waiver like this could (and probably should) be brought to court. It's unlikely the healthcare company will change their policy by the complaints of a few patients and providers.

It does at times seem to me that the only thing HIPPA does well and on a regular basis is to keep my specialists from communicating with each other. It seems insane to me to have me jump through hoops to have my nephrologist send a lab value to my cardiologist. It doesn't protect my information from anyone really. The same labwork that I can't have shared between specialist is shared with my insurance company by the lab and the insurance company posts it on the internet in a "secured site". The information is available on this site to the insurance companies' "Health Coach" who then shares it with the Occupational Health and Safety nurse where I work and it's allowed because the company I work for is self insured. In this whole cycle the only people who don't have those lab results are me and my cardiologist.

Remarkably, this "authorization" form uses an abbreviation ("HIPAA") without any explanation of the term, nor its ramifications for the patient, nor any link or reference to further information for the patient.

How many patients really know about the "HIPAA Privacy Rule?"

Forms like this would never fulfill our Institutional Review Board's requirements for "7th grade language" when assuring a person's ability to understand a consent form for a research project. Regretably, many patients do not have significant education levels. Should such a release form admonish this company's responsibility to assure the patient's understanding of HIPAA?

(I came here from Sandy's "Junk Science" blog, where I'm a regular reader and the news seems to get more scandalous daily.)

I have a question --

What about this?

In order to be enforceable, a contract cannot violate "public policy". For example, if the subject matter of a contract is illegal, you cannot enforce the contract. A contract for the sale of illegal drugs, for example, violates public policy and is not enforceable.

Wouldn't there be any grounds to support nullification of a waiver like that on the grounds that a HIPAA violation/complete contravention of HIPAA's original purpose is illegal?

(I know there's a counterargument to be made in terms of no obligation to have received insurance from the employer, blah blah, blah, but let's just start here.)

Failing that, would there be some argument of unenforceability on the grounds of coercion if there was no way the insured person could work/support his family without making use of the benefits?

If nothing else, could it be argued that given the reasonable expectations insured people have for disability insurance in the first place (because I can imagine it would only be a matter of time before some third party or employer would try to sneak a clause like that into regular old HEALTH insurance), wouldn't it be unenforceable on the grounds that it violates the insured's reasonable good faith expectations?

For another amazing story of absurd results of HIPAA: One of the battalion commanders in my brigade in Iraq was refused on a request to find out the status of an injured soldier, allegedly because of HIPAA. And yet apparently it's just this easy to require someone to take away any rights to privacy under that act. Amazing.

Reed Group probably used the justification that they need this waiver to take the necessary action to process this claim. And perhaps they actually believe this. If so, it would be another example of an organizational mentality that does not just have poor ethics, but a complete absence of ethics. All too common.

Constellation Energy Group a top 100 company in the U.S. just hired on the reed group to handle our new sick policy. If we, as workers do not disclose our personal medical history when out sick, then we will not be able to be paid sick time. It is the same disclosure at the top of this page. I would call this blackmail and a serious civil rights violation. When I call out sick to this reed group, I am not signing anything and calling my attorney.

A family member works at Constellation Energy and just received these exact two forms to be completed in 15 days of the absence as described in the other post. I called the Reed Group on their behalf to express my concerns about the consent form, more specifically, I read the line to them about not being protected by HIPAA. I also said that this sounded illegal and fishy to me. She got indignant. This is a huge concern of mine. An employer does not have the right to know all of your medical history and if Reed Group is employed by CENG who is protecting you? Has anyone contacted an attorney/attorney general about this?

This is a violation of patient privacy and illegal, it just has not affected the right people to be challenged in the court system. When “big brother” (in this case the Reed Group and the company you work for along with the insurance company collecting your premiums) want to commit something illegal they have to create some “loop holes” to skirt around liability (by you signing the disclosure form your giving them permission to violate your privacy, on the flip side by not signing the form you MAY risk your benefits). The patient also can take advantage of the “loop holes” that the Reed Group created for the patients benefit. Somewhere on that “medical disclosure form” they have to legally tell you how to “revoke” that disclosure form and usually it’s by a written letter stating your intentions. Simply sign their disclosure form and date, at the same time compose your letter to the Reed Group revoking your permission to be violated and date with the next days date.

About Me

Westby G. Fisher, MD, FACC is a board certified internist, cardiologist, and cardiac electrophysiologist (doctor specializing in heart rhythm disorders) practicing at NorthShore University HealthSystem in Evanston, IL, USA and is a Clinical Associate Professor of Medicine at University of Chicago's Pritzker School of Medicine. He entered the blog-o-sphere in November, 2005.
DISCLAIMER: The opinions expressed in this blog are strictly the those of the author(s) and should not be construed as the opinion(s) or policy(ies) of NorthShore University HealthSystem, nor recommendations for your care or anyone else's. Please seek professional guidance instead.